Managing Passwords

You can manage user passwords as follows:

Change a User's Password

You can change passwords for users whose accounts are in the internal database, for example when the old password has been compromised. As an alternative, you can force the user to change the password at the next logon. In either case, the new password must meet the requirements defined by the password policy for the user's security domain.

To change passwords for users whose accounts are in an LDAP directory, use the LDAP directory native interface.

Procedure 

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to edit. Some fields are case sensitive.

  3. Click the user that you want to edit, and select Edit.

  4. Enter the new password in the Password field.

  5. Enter the new password again in the Confirm Password field.

  6. Click Save.

Require Password Change at Next Logon

If a user's identity source is the internal database, you can force the user to change his or her password the next time the user logs on. As an alternative, you can specify a new password for the user yourself. The new password must meet the requirements defined by the password policy for the user's security domain.

Procedure 

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to edit. Some fields may be case sensitive. For more information, see Search Fields That Are Not Case Sensitive.

  3. Click the user that you want to edit, and select Edit.

  4. Select Force Password Change.

  5. Click Save.

Assign a User an Alias

A logon alias allows users to authenticate with their RSA SecurID token using User IDs other than their own. For example, suppose you assign the alias "root" to an administrator. In addition to logging on with the default User ID, the administrator can log on using the User ID "root" and his or her own token. You can also prevent a user from authenticating with the default User ID and instead require that the user authenticate with an alias.

Before you begin 

Before you assign a user alias, your Super Admin should have done the following:

  • Included a restricted or unrestricted agent in your deployment.

  • Ensured that the user belongs to a user group that has access to a restricted agent, or that the user has been enabled on an unrestricted agent.

Procedure 

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user with which you want to work.

  3. Click the appropriate user, and select Authentication Settings.

  4. Select whether the user may authenticate with his or her own User ID, or must authenticate with an alias.

  5. Select the user group to which you want to assign the alias.

  6. In the User ID field, enter the User ID that you want to assign to the alias.

  7. In the Shell field, enter the shell that you want assigned to the alias.

  8. If you are using RADIUS, from the RADIUS Profile drop-down menu, select the RADIUS profile to assign to the alias.

  9. Click Add.

  10. Click Save.

Increase the Maximum Length of the Logon Alias

A logon alias allows users to log on to RSA Authentication Manager with a user group ID, instead of their User IDs. By default, the maximum length of the logon alias is 48 characters, but a User ID can be longer. You can increase the maximum length of the logon alias to 100 characters.

Before you begin 

The following credentials are required:

  • The rsaadmin password for the primary instance
  • Operations Console administrator

Procedure 

  1. Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup.
    • On a hardware appliance, an Amazon Web Services appliance, or an Azure appliance, log on to the appliance using an SSH client.
    • On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.

    To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH.

    For instructions, see Enable Secure Shell on the Appliance.

  2. Change directories to /opt/rsa/am/utils. Type:

    cd /opt/rsa/am/utils/

    and press ENTER.

  3. Type:

    ./rsautil store -a update_config auth_manager.principalmgt.max_aliasname_length 100 GLOBAL 501

    where 100 is the new maximum length of the logon alias.

  4. Press ENTER. You are prompted for the required options.
  5. When prompted, enter your Operations Console administrator User ID, and press ENTER.
  6. When prompted, enter your Operations Console administrator password, and press ENTER.

    The maximum length of the logon alias is increased.

    Note:  Although it is possible to enter the Operations Console administrator password on the command line, doing so exposes the password in the shell history and in the process list on the appliance. RSA recommends that you enter passwords only when the utility presents a prompt.

  7. Close the SSH client. Type exit and press ENTER.
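The following shell helper is an added example for this procedure; it is not part of RSA's documentation or tooling. It checks that the requested length is an integer between the default (48) and the supported maximum (100) before building or running the rsautil command from step 3, and it refuses to take the Operations Console credentials as arguments so that the password is only ever entered at the utility's prompt. It assumes, as the procedure does, that rsautil is run from /opt/rsa/am/utils and that the configuration key, the GLOBAL scope and the trailing 501 argument are passed exactly as shown above; the RSA_UTILS variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of RSA's documentation or tooling. It wraps the
# rsautil call from the procedure above so that the requested length is
# checked before anything is written to the configuration store.
# Assumptions (not stated on the page): rsautil is run from
# /opt/rsa/am/utils, and the configuration key, the GLOBAL scope and the
# trailing 501 argument are passed exactly as shown in step 3.

RSA_UTILS="${RSA_UTILS:-/opt/rsa/am/utils}"
ALIAS_KEY="auth_manager.principalmgt.max_aliasname_length"
DEFAULT_ALIAS_LEN=48   # default maximum alias length (from the page)
MAX_ALIAS_LEN=100      # largest value the page says is supported

# Return 0 if "$1" is an integer between the default and the supported
# maximum; otherwise print a reason to stderr and return 1.
validate_alias_length() {
    len="$1"
    case "$len" in
        ''|*[!0-9]*)
            echo "error: length must be a positive integer, got '$len'" >&2
            return 1 ;;
    esac
    if [ "$len" -lt "$DEFAULT_ALIAS_LEN" ] || [ "$len" -gt "$MAX_ALIAS_LEN" ]; then
        echo "error: length must be between $DEFAULT_ALIAS_LEN and $MAX_ALIAS_LEN" >&2
        return 1
    fi
    return 0
}

# Print the exact rsautil command line for a validated length. Nothing is
# executed here, so the command can be reviewed or logged first.
alias_length_cmd() {
    validate_alias_length "$1" || return 1
    printf './rsautil store -a update_config %s %s GLOBAL 501\n' "$ALIAS_KEY" "$1"
}

# Run the command from the utils directory. The Operations Console
# administrator User ID and password are deliberately NOT accepted as
# arguments: rsautil prompts for them, which keeps the password out of
# the shell history and out of the process list (ps) on the appliance.
set_alias_length() {
    if [ $# -ne 1 ]; then
        echo "usage: set_alias_length NEW_LENGTH (credentials are prompted for)" >&2
        return 1
    fi
    validate_alias_length "$1" || return 1
    (cd "$RSA_UTILS" && ./rsautil store -a update_config "$ALIAS_KEY" "$1" GLOBAL 501)
}
```

Source the file on the primary instance as rsaadmin and call `set_alias_length 100`; rsautil then prompts for the Operations Console administrator User ID and password as in steps 5 and 6. Calling `alias_length_cmd 100` first shows the exact command that will run without executing it.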

Clear the Cached Copy of a User's Windows Password

If you enabled Windows password integration as part of an offline authentication policy, users' Windows passwords are saved by RSA Authentication Manager. Use this procedure to clear the saved copy of a user's Windows password.

When you enable Windows password integration, users can authenticate with only their Windows user name and RSA SecurID passcode.

Procedure 

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user with which you want to work.

  3. From the search results, click the user with which you want to work.

  4. From the context menu, click Authentication Settings.

  5. Select the Clear cached copy of selected user's Windows credential checkbox.

  6. Click Save.

Enable Users to Reset Passwords After User and Token Export

When users are exported from a deployment that uses an external identity source and imported to a deployment that uses the internal database, the users’ LDAP passwords are not imported. Password authentication is disabled in the target deployment. Before re-enabling these users for password authentication, you can allow users to reset their passwords using the Self-Service Console, as described in the following procedure. As an alternative, you can reset the passwords yourself.

Perform this task only if you are exporting from an external identity source to the internal database.

By default, a password is required for users in the internal database. If you have to edit the user record for any reason before the user has reset the password, saving the record produces an error indicating that the password is a required field. You can create a new password before saving the user record, or you can make the password optional. To make the password optional, see Edit the Internal Database.

Procedure 

  1. In the target deployment, log on to the Security Console and click Set Up > Self Service Settings > Self Service Console Authentication.

  2. Make sure the Console Authentication Method includes SecurID_Native and click Save.

  3. From the Self-Service Settings page, click Enable or Disable Self Service Features.

  4. Select Display Forgot your password link.

  5. Click Save.

  6. Inform the imported users that they need to perform these steps:

    a. Log on to the Self-Service Console using a token.

    b. Configure and answer security questions.

    Note:   Users’ security questions are only imported if the same questions are found on the target deployment. If the security questions cannot be found, they aren’t imported and users must configure their security questions and answers when they log on to the target deployment for the first time.

    c. Log off the Self-Service Console.

    d. Click the Forgot Your Password link on the logon page, answer the security questions, and change the password.